Internal controls are a company’s system of checks and balances, a way to ensure that safeguards are in place to mitigate risk and promote a system of reliable, accurate financial reporting and efficient operations. Internal controls are designed to keep assets safe, practices compliant and guarantee that all policies and procedures are followed to the letter. Understanding the do’s and don’ts of internal controls is critical for public company auditors.

For smaller companies, entity-level controls (also called top-level controls or management review controls) can provide effectiveness for all controls.

“Entity-level controls are often related to the monitoring process and financial close and reporting cycle — although small companies may not refer to them in those words,” explains Wayne Kerr, senior consultant with Thomson Reuters. Kerr says that these top-level controls are items such as weekly or monthly top management reviews of financial information; approval of large transactions, such as disbursements or sales; and reviews of bank reconciliations.

“Smaller companies rely on these types of controls, in part, because they often lack the resources or capacity to incorporate separation of duties and other ‘prevent’ controls into their processes,” he adds.

With smaller public companies, auditors are charged with determining which controls to test and how to select controls that test multiple controls. This means that auditors should analyze all transactions to see if the related controls operate to the most effective degree, according to Kerr.

“If an auditor tests controls and determines that they are operating effectively, he or she can rely on those controls — which means he or she can reduce some of the other audit work that would otherwise be needed,” Kerr says.

According to the Public Company Accounting Oversight Board (PCAOB), a private, nonprofit entity formed to oversee public company auditors, the company’s complexity is a critical factor in an auditor’s assessment. The smaller the company, the less complex it may be due to fewer lines of business and management levels, explains the PCAOB.

It’s also more likely that with smaller companies, senior management is involved (or more involved) in the daily business activities and that these levels of management have a greater variety of control. As such, these smaller company variables could result “in material misstatement of the company’s financial statements and the controls that a company might establish to address those risks,” explains the PCAOB. To aid in risk mitigation, the PCAOB says there are certain key matters related to internal controls that are of particular interest to smaller company entities.

Smaller companies can use entity-level controls which then allow the auditor to provide evidence of internal control over financial reporting. Because smaller companies have fewer employees, these entities may use alternative approaches to the segregation of duties and the auditor is charged with reviewing these duties to ensure the control objectives are met.

Also, the use of off-the-shelf software may be more plausible with smaller companies, but this prompts auditors to then review the application controls within the computer program to ensure they are effectively operating and meeting the appropriate objective, explains the PCAOB.

Auditing Standards, Revised

Auditors can learn about testing internal controls for their clients through a variety of means, first by looking at the methodologies used by their audit firm, Kerr says, which would provide guidance on how to test. “In addition, there is guidance within the audit standards themselves,” he says. Further, the PCAOB offers guidance.

“Although this guidance is meant for public companies that are required to have internal controls under Section 404 of the Sarbanes-Oxley Act, the guidance is very good and could also be applied to small, non-public companies as well,” Kerr adds.

In 2007, the Securities and Exchange Commission passed Auditing Standard No. 5 to help auditors of public companies construct audits based on that company’s size and structure. Auditing Standard No. 5 replaces Auditing Standard No. 2 and provides new professional standards and related performance guidance for tax and accounting practitioners.

“I believe that Auditing Standard No. 5 is superior to Auditing Standard No. 2 because it focuses the auditor’s testing of controls on those controls that matter the most (top-level or management review controls). This may or may not strengthen investor protection, but I believe it makes the internal controls audit process more efficient without weakening investor protection.”

Kerr also explains that although non-public company audits “do not incorporate the requirements of Auditing Standard No. 5,” and even though testing controls are not required, they are allowed and “similar concepts apply.”

“The biggest difference is that auditors of non-public companies are not required to give an opinion on the operating effectiveness of an entity’s internal controls,” Kerr says. “Rather, they would test controls as a matter of audit effectiveness or efficiency.”

In short, internal controls for public companies are designed to protect against risk. Kerr also recommends that auditors consult with the American Institute of Certified Public Accountants (AICPA), which outlines the required sample sizes for monthly and weekly controls. Says Kerr: “As most small companies rely on controls that operate on a monthly or weekly basis, auditors should become familiar with this guidance in determining whether or not to test controls.”